1 Background

1.1. Why risk appetite framework 

The development and establishment of an effective Risk Appetite Framework is an iterative 
and evolutionary process that requires ongoing dialogue throughout the municipality to
attain buy-in across it. The framework sets the municipality’s risk profile and
forms part of the process of development and implementation of the municipality’s strategy 
and determination of the risks undertaken in relation to the municipality’s risk capacity. 

An effective framework should provide a common framework and comparable measures 
across the municipality for senior management and Council to communicate, understand, and 
assess the types and level of risk that they are willing to accept. It explicitly defines the 
boundaries within which management is expected to operate when pursuing the municipality’s 
strategy. 

The risk appetite framework facilitates the determination, review and oversight of risk 
appetite. It acts as a key bridge between the municipality’s strategy and its risk management 
framework. The risk appetite should be updated in line with changes to the strategy of the 
organisation (and vice versa, as neither the strategy nor the risk appetite should be developed 
in isolation from the other but rather as part of a unified process) and should also evolve in 
line with the development of its risk management framework. 

The assessment of the municipality’s consolidated risk profile against its risk appetite should 
also be an ongoing and iterative process. Implementing an effective framework requires an 
appropriate combination of policies, processes, controls, systems and procedures to 
accomplish a set of objectives. 

1.2. Definition of risk appetite 

The Treadway Commission COSO Enterprise Risk Management - Risk Appetite Framework
states the following:

"The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It
reflects the entity’s risk management philosophy, and in turn influences the entity’s culture
and operating style. ... Risk appetite guides resource allocation. ... Risk appetite [assists the
organization] in aligning the organization, people, and processes in [designing the]
infrastructure necessary to effectively respond to and monitor risks".


1.3. Benefits of a risk appetite framework 

According to COSO the following benefits flow from an effective risk appetite framework: 

• it is strategic and is related to the pursuit of organizational objectives; 

• forms an integral part of corporate governance; 

• guides the allocation of resources; 

• guides the municipality’s infrastructure, supporting its activities related to recognizing, 
assessing, responding to, and monitoring risks in pursuit of organizational objectives; 

• influences the municipality’s attitudes towards risk; 

• is multi-dimensional, including when applied to the pursuit of value in the short term and
the longer term of the strategic planning cycle;

• requires effective monitoring of the risk itself and of the municipality’s continuing risk
appetite; and

• enhances risk management strategy decisions through quantification of risk appetite.

1.4. Objectives of a risk appetite framework

The objective of a framework is to help management make informed decisions. To that end, the framework should:

• establish a process for communicating the Risk Appetite Framework across and within the 
municipality; 

• be driven by both top-down and bottom-up involvement of management at all levels, and 
embedded and understood across the municipality; 

• facilitate embedding risk appetite into the municipality’s risk culture; 

• evaluate opportunities for appropriate risk taking and act as a defence against excessive 
risk-taking; 

• allow for the risk appetite statement to be used as a tool to promote robust discussions on 
risk and as a basis upon which risk management and internal audit functions can 
effectively and credibly debate and challenge management recommendations and 
decisions; 

• be adaptable to changing business and market conditions so that, subject to approval by 
senior management and Council as appropriate, opportunities that require an increase in 
the risk limit could be met while remaining within the agreed municipal wide risk 
appetite; 

• cover activities, operations and systems of the municipality that fall within its risk 
landscape but are outside its direct control, including suppliers; and 

• be consistent with the principles in this document. 


1.5. Characteristics of a risk appetite framework 

A well-defined risk appetite should have the following characteristics: 

• Reflective of strategy including organisational objectives, business and stakeholder 
expectations; 

• Reflective of all key aspects of the business; 

• Documented as a formal risk appetite statement; 

• Acknowledges a willingness and capacity to take on risk; 

• Considers the skills, resources and technology required to manage and monitor risk 
exposures in the context of risk appetite; and 

• Has been approved by Council. 





2 Methodology 

Risk management is a process, not an event and requires the municipality to pay closer attention to 
the developments both in the external and control environments. Top management’s strategic 
direction and commitment are also regarded as very important, if risk management processes are to 
be successful and effective. 

Management is expected to lead the process and ensure that everybody within the municipality 
understands the benefits of risk management. This represents the challenge to management to set the 
tone or to establish a supportive internal environment. 

Involving all personnel at all levels of management ensures that risk management activities
are applied consistently across all levels within the municipality. The philosophy that
everybody is a risk manager likewise ensures that everybody is involved in the risk management process.

Implementation of risk appetite can take place via the following two approaches: 

• it can be developed from the top down (in which case risk appetite is set by the Council and 
then implemented across the municipality); or 

• it can be developed from the bottom up, which would typically involve individual departments determining their
own appetites towards various types of risk and then aggregating these appetites throughout the
organisation to arrive at an aggregated risk appetite for the entire municipality.

Ultimately, it will be a matter for Council to approve the final risk appetite regardless of whether a 
top down or bottom up approach is adopted. 

The municipality will follow a top down approach and the methodology to be followed will be: 

2.1 Criteria 

Risk appetite should evolve from and support the strategic planning and objectives of the
municipality. The risk appetite framework helps articulate the risk to the municipality that could
potentially impact on the achievement of the strategic goals (positively or negatively). The
municipality should take into account:

• The municipality’s core strategy; 

• If the municipality has a zero tolerance approach regarding compliance, it should be clearly 
documented in policies and as such enforced; 

• Before setting risk appetite, it helps to classify risk into different categories that the 
municipality is, or may be, exposed to in the pursuit of its objectives; 

• It is important to have a holistic view of all the risks to which the municipality is exposed, 
including what approach it will take in managing them; and 

• Capacity and maturity of the risk management function. 


2.2 Stakeholder engagement 

The municipality should engage with all stakeholders to ensure that both risk taking and control 
activities are aligned and that possible differences are identified at this stage. All stakeholders 
need to be at least considered when setting risk appetite. 


2.3 Development of the risk appetite 

The development of the risk appetite takes the following into account: 

• Obtain all the risk registers for the municipality; 

• Combine the risk registers into one global risk register; 

• Sort the risks in the global risk register from high to low;

• Determine from the stakeholders how much risk the municipality is willing
to take, i.e. the top 30 risks only;

• Once the number of risks that the municipality is willing to take has been agreed, this becomes
the risk appetite; and

• Finally the municipality will need to formalise the results of the above process through the 
documentation of the municipality’s risk appetite in a formal risk appetite statement. 

2.4 Approve 

The risk appetite statement should then be approved by Council prior to communicating the
document to the wider municipality.


2.5 Implement 

Once the risk appetite has been approved by Council, it should be: 

• Clearly communicated and cascaded through the municipality;

• Integrated into the risk management framework; and 

• Actively used in the strategic management of the municipality. 


2.6 Reporting 

Reporting on the risk appetite should take place both internally and externally. Internal
reporting goes to management on a frequent basis, and external reporting takes place via
the annual report. Reporting can include the following:

• Compliance with approved risk appetite 

• Trends in data over time 

• Compliance (or non-compliance) with approved risk policies 

The overall reporting process needs to be facilitated by a comprehensive governance framework 
in order to ensure that an appropriate escalation process is in place and that appropriate actions 
are taken in response to risk appetite breaches. It is important that these actions also include an 
effective feedback loop into the setting of the risk appetite so that the risk appetite framework 
can continue to be appropriate to the municipality. 


2.7 Review 

The Risk Appetite Statement should be reviewed annually, or whenever there is a significant 
change to the municipality’s operating environment to ensure alignment with the ever evolving 
municipal strategy, risk environment and municipal performance. An analysis could also be
done, taking into consideration what worked well, what failed and what needs to be done
differently next time.







3 Roles and responsibilities

The people responsible for risk appetite can be categorised into four distinct categories, namely 
implementers, support function, oversight and assurance providers. 


3.1 Implementers 

3.1.1 The Accounting Officer (Municipal Manager) 

The Municipal Manager is ultimately responsible for risk management within the 
municipality. The Municipal Manager is accountable to the Council regarding the 
effectiveness of the risk management process. By setting the tone at the top, the 
Municipal Manager promotes accountability, integrity and other factors that create a 
positive control environment. 

The roles of the Municipal Manager relating to the risk appetite include the following: 

• establish an appropriate risk appetite for the municipality (in collaboration with the 
CRO) which is consistent with the municipality’s short- and long term strategy, 

• be accountable, together with the CRO and managers for the integrity of the Risk
Appetite Framework, including the timely identification and escalation of breaches in 
risk limits and of material risk exposures; 

• ensure, in conjunction with the CRO, that the risk appetite is appropriately translated 
into risk limits for strategic and financial planning, decision-making processes and 
compensation decisions; 

• ensure that the municipality-wide risk appetite statement is implemented by
management;

• provide leadership in communicating risk appetite to internal and external 
stakeholders so as to help embed appropriate risk taking into the municipality’s risk 
culture; 

• set the proper tone and example by empowering and supporting the CRO in his/her
responsibilities, and effectively incorporating risk appetite into the municipality’s 
decision-making processes; 

• ensure managers have appropriate processes in place to effectively identify, measure, 
monitor and report on the risk profile relative to established risk limits on a continual 
basis; 

• dedicate sufficient resources and expertise to risk management, internal audit and IT 
infrastructure to help provide effective oversight of adherence to the framework; 

• act in a timely manner to ensure effective management, and where necessary
mitigation, of material risk exposures, in particular those that are close to or exceed
the approved risk appetite statement and/or risk limits; and

• notify the RMC and the Council of serious breaches of risk limits and unexpected
material risk exposures.

3.1.2 Management 

Management at all levels within the municipality owns the risks; in taking that
ownership, managers are also accountable to the Municipal Manager for integrating the principles
of risk management into their daily routines to enhance the achievement of their service
delivery objectives.

In discharging their high level responsibilities relating to risk appetite, management: 

• ensure alignment between the approved risk appetite and planning, compensation, and 
decision-making processes of the municipality; 



• embed the risk appetite statement and risk limits into management’s activities so as to 
embed prudent risk taking into the municipality’s risk culture and day to day 
management of risk; 

• establish and actively monitor adherence to approved risk limits; 

• implement controls and processes to be able to effectively identify, monitor and report 
against allocated risk limits; 

• act in a timely manner to ensure effective management, and where necessary, 
mitigation of material risk exposures, in particular those that exceed or have the 
potential to exceed the approved risk appetite and/or risk limits; and 

• promptly escalate breaches in risk limits and material risk exposures to the CRO and
senior management.


3.2 Risk Management Support 

3.2.1 Chief Risk Officer (CRO) 

Accountability for risk management in the municipality is assigned to the Accounting 
Officer (Municipal Manager) and is sub-delegated to the CRO to facilitate and coordinate 
the development and implementation of risk. 

The CRO provides specialist expertise in providing a comprehensive support service to 
ensure systematic, uniform and effective enterprise risk management. The CRO acts as a
vital communication link between operational level, management, senior management,
the risk management committee and other relevant committees.

High level responsibilities to achieve this include: 

• develop an appropriate risk appetite for the municipality that meets the needs of the 
municipality; 

• obtain Council’s approval of the developed risk appetite and regularly report to 
Council on the municipality’s risk profile relative to risk appetite; 

• actively monitor the municipality’s risk profile relative to its risk appetite, strategy 
and risk capacity; 

• establish a process for reporting on risk and on alignment (or otherwise) of risk 
appetite and risk profile with the municipality’s risk culture; 

• ensure the integrity of risk measurement techniques and information systems that are 
used to monitor the municipality’s risk profile relative to its risk appetite; 

• establish and approve appropriate risk limits for the municipality that are consistent 
with the municipality’s risk appetite statement; 

• independently monitor the municipality’s risk limits and aggregate risk profile to ensure
they remain consistent with the municipality’s risk appetite;

• act in a timely manner to ensure effective management, and where necessary
mitigation, of material risk exposures, in particular those that are close to or exceed
the approved risk appetite and/or risk limits; and

• escalate promptly to Council and the Accounting Officer any material risk limit 
breach that places the municipality at risk of exceeding its risk appetite, and in 
particular, of putting in danger the financial condition of the municipality. 

3.3 Risk Management Oversight 

3.3.1 Council 

Council is responsible for overseeing the complete spectrum of governance within
Cederberg Municipality. This responsibility therefore also includes the duty to:

• approve the municipality’s Risk Appetite Framework and ensure it remains consistent 
with the municipality’s short- and long-term strategy, business and capital plans, risk 
capacity as well as compensation programs; 




• hold the Accounting Officer and management accountable for the integrity of the 
framework, including the timely identification, management and escalation of 
breaches in risk limits and of material risk exposures; 

• discuss and monitor to ensure appropriate action is taken regarding “breaches” in risk 
limits; 

• question management regarding activities outside the Council-approved risk appetite 
statement, if any; 

• obtain an independent assessment (through internal assessors, third parties or both) of 
the design and effectiveness of the framework and its alignment with supervisory 
expectations; 

• satisfy itself that there are mechanisms in place to ensure management can act in a 
timely manner to effectively manage, and where necessary mitigate, material adverse 
risk exposures, in particular those that are close to or exceed the approved risk 
appetite statement or risk limits; 

• ensure adequate resources and expertise are dedicated to risk management as well as 
internal audit in order to provide independent assurances to Council and management 
that they are operating within the approved framework, including the use of third 
parties to supplement existing resources where appropriate; and 

• ensure risk management is supported by adequate and robust information systems to
enable identification, measurement, assessment and reporting of risk in a timely and 
accurate manner. 

3.3.2 Risk Management Committee (RMC) 

In discharging its oversight responsibilities relating to the risk appetite framework, the RMC should:

• ensure that the risk appetite framework is approved by the Council; 

• evaluate the effectiveness of mitigating strategies implemented to address the material 
risks of the municipality (treatment action plans); 

• ensure that the committee is informed of all changes to the risk management strategy, 
implementation plan, policy and framework; 

• review and monitor the effectiveness of risk control systems, the reliability and
accuracy of risk management reporting and the fraud prevention plan;

• review any material findings and recommendations by assurance providers on the 
system of risk management and monitor that appropriate action is instituted to address 
the identified weaknesses; and 

• provide guidance to the CRO and other relevant risk management stakeholders on 
how to manage risks within the risk appetite level.


3.4 Risk Management Assurance Providers 

3.4.1 Internal Audit 

Internal Audit is responsible for providing independent assurance that risk management,
control and governance processes, as designed and represented by management, are
adequate and function in a manner that ensures, amongst other things, that risks are
appropriately identified and managed, based on the scope of its coverage plan.

Responsibilities of Internal Audit in the risk appetite process include: 

• routinely include assessments of the Risk Appetite Framework on a municipal basis; 

• identify whether breaches in risk limits are being appropriately identified, escalated 
and reported, and report on the implementation of the framework to the Audit 
Committee and Council as appropriate; 

• independently assess periodically the design and effectiveness of the framework and 
its alignment with management expectations; 



• assess the effectiveness of the implementation of the framework, including linkage to 
organisational culture, as well as strategic and business planning, compensation, and 
decision-making processes; 

• assess the design and effectiveness of risk measurement techniques and information 
systems used to monitor the municipality’s risk profile in relation to its risk appetite; 

• report any material deficiencies in the risk appetite framework and on alignment of 
risk appetite and risk profile with risk culture to Council, Audit Committee and 
management in a timely manner; and 

• evaluate the need to supplement its own independent assessment with expertise from 
third parties to provide a comprehensive independent view of the effectiveness of the 
risk appetite framework. 


4 Conclusion 

It is clear that the process of determining an appropriate risk appetite is a challenging one. Apart 
from the many practical challenges which must be overcome, ranging from achieving a consistent 
understanding of risk management terminology to the identification of the range of risks being 
borne, there are many technical aspects to be tackled as well. These include how to measure risks 
and how to set appetite. Risk appetite needs to become embedded into the municipality. It does not 
stand alone, but rather fits into the fabric of the risk management process. It requires support from 
key control functions such as Internal Audit, Compliance, and Risk Management in order to operate 
effectively. Above all though, it needs to achieve buy-in from all stakeholders. 

Greater understanding of risk and the risks being faced by the municipality is a powerful tool for 
aligning stakeholder interests and ultimately giving the municipality the best chance of achieving its 
strategic goals and objectives. 





5 Glossary


Terminology 

Definition of terminology 

Enterprise Risk Management (ERM)

Entity Risk Management is a structured and consistent approach across the municipality that aligns strategy, 
processes, people, technology and knowledge with the purpose of evaluating and managing the risks (threats 
and opportunities) to create stakeholder value. 

Process 

Structured set of activities within an entity, designed to produce a specified output. 

Risk 

Risks are uncertain future events (threats and opportunities) that could influence the achievement of the goals 
and objectives of the municipality. 

Risk Assurance 

The Risk Assurance functions are that of Internal and External Audit (Auditor General) and it is in their scope 
of work to provide assurance opinions. 

Risk Appetite Framework (RAF)

The overall approach, including policies, processes, controls, and systems through which risk appetite is
established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of
the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF
should consider material risks to the financial institution, as well as to the institution’s reputation vis-a-vis
policyholders, depositors, investors and customers. The RAF aligns with the institution's strategy.

Risk Appetite Statement 

The articulation in written form of the aggregate level and types of risk that a municipality is willing to accept, 
or to avoid, in order to achieve its business objectives. It includes qualitative statements as well as quantitative 
measures expressed relative to risk measures, and other relevant measures as appropriate. It should also address 
more difficult to quantify risks such as reputation and conduct risks as well as unethical practices. 

Risk Capacity 

The maximum level of risk the municipality can assume given its current level of resources, the operational
environment (e.g. technical infrastructure, risk management capabilities, expertise) and obligations, also from a
conduct perspective, to all stakeholders.

Risk Limits 

Quantitative measures based on forward looking assumptions that allocate the municipality’s aggregate risk 
appetite statement (e.g. measure of loss or negative events) to business lines, legal entities as relevant, specific 
risk categories, concentrations, and as appropriate, other levels. 

Risk Management 

Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, 
assessing, understanding, acting on and communicating risk issues and opportunities. 

Risk Policy 

Serves as a foundation for the municipality’s ERM activities, as it encapsulates management’s philosophy and 
approach to risk management. 

Risk Profile 

Identification and listing of risks, typically in order of highest to lowest based on a qualitative or quantitative
measurement approved by management.

Risk Ratings 

The analysis of risks identified in terms of impact and likelihood to obtain an inherent risk rating. The final 
rating assessment relates to control confidence and offset against the inherent risk assessment leaves the 
residual risk assessment exposure rating. 

Risk Strategy 

The approach adopted for associating and managing risks based on the municipality’s objectives, strategies and
programmes.

Risk Supporter 

The support structure is the backbone to the success of risk management in the organization, e.g. National
Treasury provides structures in which to work, but the work needs to be planned, coordinated, organized and
controlled.


Risk Management Committee (RMC)

The Risk Management Committee of the municipality that provides oversight to the ERM environment.





























